MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

24.1.12

Since October 2011 we have been watching this affiliate system: Money Racing AV, a private PPS (Pay-Per-Sale) affiliate program that actively spreads fake antispyware (rogue AV). We had already seen this gang active in August 2009 (see "A recent tour of scareware XII"). Their advertising can be found on various Russian underground communities:

Step 1.
Domain parking.
To start working you need to park with us the domain on which all traffic will go.
To do this, set the DNS in your domain registrar account to
ns1.dns.com
ns2.dns.com
After this, add the domain for our parking in the Links section.
You can add several domains at the same time; this will create a queue, and if your domain gets banned it will be automatically replaced with a new one.
You can request automatic acquisition of a fresh domain and its replacement in our TDS if you are using it.
**Domains which are banned are removed from our DNS automatically.

Step 2.
Traffic Back URL
You should set a "Traffic Back" URL.
We will return the surfer to the indicated "Traffic Back" URL if:
A. His OS and browser do not match ours, or if he was here in the last 7 days.
B. The surfer went through our website and we redirect him back to your "Traffic Back" URL.
For non-adult traffic, the average percent exploited is 18-20%, callhome 55-60%.
You earn 100% from 1000 USA installs. At the same time you get all your traffic back.
We accept only USA, WinXP, Vista, Win7, IE, FF.
All other traffic will be returned to your Back URL even before getting to our page.
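To make the filtering described in Step 2 concrete, here is an added example that is not the affiliate's code and not part of the original post: a small Python model of such a TDS gate, reconstructing the rules the ad publishes (USA only; WinXP, Vista or Win7; IE or Firefox; no repeat visit within 7 days; everything else answered with a 302 to the partner's Traffic Back URL before it reaches the landing page). The URLs, IP addresses, User-Agent strings and timestamps are constructed for the demonstration and are assumptions. The practical point for an analyst is the curl hit: a fetch with a non-matching User-Agent or geolocation never sees the landing page, only the redirect back.

```python
import re
from datetime import datetime, timedelta

# Analyst's reconstruction (assumption) of the routing rules from the ad;
# this is not the affiliate's own TDS code.
ALLOWED_COUNTRY = "US"
ALLOWED_OS = {"Windows XP", "Windows Vista", "Windows 7"}
ALLOWED_BROWSERS = {"IE", "Firefox"}
REPEAT_WINDOW = timedelta(days=7)

# Hypothetical URLs standing in for the partner's "Traffic Back" URL and the
# affiliate's landing page on a parked domain.
TRAFFIC_BACK_URL = "http://partner.example/back"
LANDING_PAGE = "http://parked-domain.example/index.php"

# Windows NT version tokens as they appear in IE/Firefox User-Agent strings.
_OS_PATTERNS = [
    (re.compile(r"Windows NT 5\.1"), "Windows XP"),
    (re.compile(r"Windows NT 6\.0"), "Windows Vista"),
    (re.compile(r"Windows NT 6\.1"), "Windows 7"),
    (re.compile(r"Windows"), "Windows (other)"),
    (re.compile(r"Mac OS X"), "Mac OS X"),
    (re.compile(r"Linux"), "Linux"),
]


def parse_user_agent(ua):
    """Return (os_name, browser) from a User-Agent string; 'unknown' if nothing matches."""
    os_name = next((name for pat, name in _OS_PATTERNS if pat.search(ua)), "unknown")
    if "MSIE " in ua or "Trident/" in ua:
        browser = "IE"
    elif "Firefox/" in ua:
        browser = "Firefox"
    elif "Chrome/" in ua:
        browser = "Chrome"
    else:
        browser = "unknown"
    return os_name, browser


class TrafficDistributionSystem:
    """Decides, per hit, whether to serve the landing page or bounce the visitor back."""

    def __init__(self):
        self.last_served = {}  # ip -> time the landing page was last served to it

    def route(self, ip, country, ua, when):
        """Return (status, location, reason): 302 to the partner's URL, or 200 with the page."""
        # Geo filtering first: this traffic "never gets to our page" (ad, Step 2).
        if country != ALLOWED_COUNTRY:
            return 302, TRAFFIC_BACK_URL, "geo"
        os_name, browser = parse_user_agent(ua)
        if os_name not in ALLOWED_OS or browser not in ALLOWED_BROWSERS:
            return 302, TRAFFIC_BACK_URL, "os_browser"
        last = self.last_served.get(ip)
        if last is not None and when - last < REPEAT_WINDOW:
            return 302, TRAFFIC_BACK_URL, "repeat_visitor"
        self.last_served[ip] = when
        return 200, LANDING_PAGE, "match"


# Constructed sample hits (RFC 5737 documentation addresses; not real log data).
T0 = datetime(2011, 12, 18, 12, 0, 0)
IE8_XP = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
FF_WIN7 = "Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0"
CHROME_WIN7 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"
CURL = "curl/7.21.0 (x86_64-pc-linux-gnu)"

SAMPLE_HITS = [
    ("198.51.100.10", "US", IE8_XP, T0),
    ("198.51.100.10", "US", IE8_XP, T0 + timedelta(days=1)),  # came back within 7 days
    ("203.0.113.5", "DE", FF_WIN7, T0),                       # wrong country
    ("192.0.2.7", "US", CURL, T0),                            # analyst fetch: no Windows/IE/FF
    ("192.0.2.8", "US", CHROME_WIN7, T0),                     # browser not accepted
    ("198.51.100.10", "US", IE8_XP, T0 + timedelta(days=8)),  # repeat window expired
]


def run_samples(hits=SAMPLE_HITS):
    """Route each hit through a fresh TDS; returns [(ip, status, reason), ...]."""
    tds = TrafficDistributionSystem()
    results = []
    for ip, country, ua, when in hits:
        status, _location, reason = tds.route(ip, country, ua, when)
        results.append((ip, status, reason))
    return results


if __name__ == "__main__":
    for ip, status, reason in run_samples():
        print(f"{ip:15} -> {status} ({reason})")
```

Only hits that were actually served count towards the 7-day repeat check, which is how the ad's "if he was here in the last 7 days" reads; a visitor bounced for geo or browser reasons leaves no trace and can come back later with a matching setup.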

And if we go back to 2009, we can see that these scarewares connected directly to moneyracing.ru:

Malware MD5: E1EEDEEF721D6F87FFB0E1EC9CEE9F95

URLs found inside:

Scareware GUI:

Now, a simple brainstorm on 'Money Racing':
Money... alright!
Racing... hmm, what? Racing = cars.
And if we check the old IP used in the years 200..,
we find lanos-club.ru, a forum about cars. Maybe it's just a coincidence.

Back to the moneyracing.ru domain: there is also this 'test.php', a malicious page detected as Blackhole Exploit Kit (probably very old).
The obfuscated code leads to xmlalien.in/main.php?page=1321edc7470b347f

Now, what the IP of Money Racing can tell us:

The 302/403 HTTP responses from these hosts are interesting because they return machine names;
for example, on the Money Racing network, orderonline-1.com was used as the billing machine.

Out of business, apparently, according to him.
He told me to search the underground forums for a guy with the nick 'бомбе'.
But I never found a 'Bomb' or anyone else affiliated with Money Racing, so I contacted him again on 18 December 2011:

Even with attractive USA traffic and all the requirements met, he kept telling me to search for 'бомбе'.
But it's more probable that he doesn't want partners for the moment due to the exposure made by Vyacheslav Zakorzhevsky on October 27.

More recently, in January, a colleague detected the domain core6575.opensourceavpro.com as a malicious download; the domain in question is part of the Money Racing network.